Why Didn’t You Exploit IE?

At the CanSecWest Security Conference in Vancouver this week, Charlie Miller made headlines by exploiting a Safari vulnerability on a fully patched Mac OS X system with a fully patched Safari web browser in mere seconds to claim the Pwn2Own prize. Ryan Naraine interviewed Charlie Miller for a ZDNet article and asked him why he exploited Safari rather than Internet Explorer or Firefox. His answer?

“It’s really simple. Safari on the Mac is easier to exploit.  The things that Windows do to make it harder (for an exploit to work), Macs don’t do.  Hacking into Macs is so much easier. You don’t have to jump through hoops and deal with all the anti-exploit mitigations you’d find in Windows.

It’s more about the operating system than the (target) program.  Firefox on Mac is pretty easy too.  The underlying OS doesn’t have anti-exploit stuff built into it.

With my Safari exploit, I put the code into a process and I know exactly where it’s going to be.  There’s no randomization. I know when I jump there, the code is there and I can execute it there.  On Windows, the code might show up but I don’t know where it is.  Even if I get to the code, it’s not executable.  Those are two hurdles that Macs don’t have.”

This is a commentary on Windows more than on Internet Explorer. As Miller pointed out, “it’s more about the operating system than the program”. This is a testament to the security controls in place in Windows Vista and Windows 7. The combination of least-privilege access enforced by UAC with DEP (data execution prevention), ASLR (address space layout randomization), and Protected Mode IE provides additional layers of protection that make it harder to exploit vulnerable software. It was ASLR in particular that Miller pointed out as the hoop that complicates exploits on Windows.
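As an added example (not from the post or from ZDNet), here is the check a defender can run on a Windows binary to see whether it actually opts into the two mitigations Miller describes: DEP is signalled by the NX_COMPAT bit and ASLR by the DYNAMIC_BASE bit in the PE optional header's DllCharacteristics field. The helper `build_pe_header` and the flag dictionary keys are my own constructions for demonstration; the header offsets and flag values come from the PE/COFF format.

```python
import struct
import sys

# Flag values from the PE/COFF specification.
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be rebased (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image is DEP-compatible


def mitigation_flags(image: bytes) -> dict:
    """Read the DEP/ASLR opt-in flags from a PE image's headers."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                       # IMAGE_FILE_HEADER (20 bytes)
    (file_chars,) = struct.unpack_from("<H", image, coff + 18)
    opt = coff + 20                           # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (0x10B, 0x20B):           # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    relocs_stripped = bool(file_chars & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "nx_compat": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "dynamic_base": dynamic_base,
        "relocs_stripped": relocs_stripped,
        # Without relocations the loader cannot move the image, so DYNAMIC_BASE alone buys nothing.
        "aslr_effective": dynamic_base and not relocs_stripped,
    }


def build_pe_header(dll_chars: int, file_chars: int = 0, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header for demonstration; not a loadable binary."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)        # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, 0, file_chars)
    opt = struct.pack("<H", 0x20B if pe32plus else 0x10B) + b"\0" * 68 + struct.pack("<H", dll_chars)
    return dos + b"PE\0\0" + coff + opt


if __name__ == "__main__":
    if len(sys.argv) > 1:                     # inspect a real .exe/.dll given on the command line
        with open(sys.argv[1], "rb") as fh:
            print(sys.argv[1], mitigation_flags(fh.read()))
    else:                                     # otherwise show the synthetic headers
        print("hardened:", mitigation_flags(build_pe_header(0x0140)))
        print("legacy:  ", mitigation_flags(build_pe_header(0)))
```

A binary without NX_COMPAT may still get DEP if the system policy is AlwaysOn, but the flag is what makes the mitigation apply under the default OptIn policy.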

Miller even goes on to suggest that Firefox, and particularly Google’s Chrome browser, might be even harder to exploit than Internet Explorer, but that it's primarily due to the hoops an attacker would have to jump through to exploit a vulnerability on Windows. That seems like fairly high praise for Microsoft’s efforts to build a more secure operating system, especially coming from the guy who just blew a fully patched Mac OS X with a fully patched Safari web browser out of the water in under a minute.



2 thoughts on “Why Didn’t You Exploit IE?”

  1. According to independent research, IE is much easier to exploit compared to other browsers. IE is 300% more vulnerable to threats compared to Firefox. The new version of IE will be more secure and give extra security protection.

  2. I think that point was made in the article I posted. Maybe not in those terms (there are certainly a variety of surveys and such with different results about which browser has the most holes), but Miller did say that both Firefox and Chrome are more secure than IE.

    The ‘300%’ figure is entirely arbitrary without the underlying methodology and data the figure was derived from, but the 300% is also irrelevant to this post. The point of the post is not that IE is the most secure browser. The point of the post is that ANY browser on Windows is more secure than a browser on Mac OS X because Mac OS X does not have any security mitigation to compare with DEP, ASLR, etc. in Windows Vista and Windows 7.
